A new banking Trojan targeting Google Android devices, dubbed “Antidot,” has emerged, disguising itself as a Google Play update. The malware displays fake Google Play update pages in multiple languages, indicating potential targets in various regions. Antidot employs overlay attacks and keylogging techniques to efficiently harvest sensitive information, such as login credentials, from unsuspecting users.
Overlay Attacks and Keylogging
Overlay attacks create fake interfaces that mimic legitimate apps, tricking users into entering their information, while keylogging captures every keystroke the user makes. This allows the malware to collect comprehensive data, including passwords and other sensitive inputs.
Malware Functionality
Rupali Parate, an Android malware researcher, explains that Antidot abuses Android's Accessibility Service to function. Once installed and granted the accessibility permission, it communicates with its command-and-control (C2) server to receive commands and register the device with a bot ID. The malware sends a list of installed application package names to the server, which uses it to identify target applications.
Upon identifying a target, the server sends an overlay injection URL (an HTML phishing page) that is displayed to the victim whenever they open the genuine application. When victims enter their credentials on this fake page, the keylogger module transmits the data to the C2 server, allowing the malware to harvest credentials.
Real-Time Control and Remote Access
Antidot uses WebSocket to maintain real-time, bidirectional communication with its C2 server, enabling the execution of commands and giving attackers significant control over infected devices. The malware can collect SMS messages, initiate USSD requests, and remotely control device features such as the camera and screen lock.
Furthermore, Antidot implements VNC (Virtual Network Computing) using MediaProjection, allowing remote control of infected devices. This capability maximizes the potential for exploitation of the victim’s financial resources and personal data, as hackers can monitor real-time activities, perform unauthorized transactions, and manipulate the device as if they were physically holding it.
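The capability combination described in the two sections above (an accessibility service, overlay windows drawn over other apps, SMS access, USSD dialling, MediaProjection screen capture, and an install that did not come through Google Play) is exactly what a defender can triage for on a device or in an MDM export. The following is an added illustration, not code from the article or from the researcher's team: the permission identifiers are real Android ones, but the capability weights, the threshold and the three sample app records are constructed here.

```python
"""Permission-combination triage for installed Android apps.

The fields of AppInfo map onto what `adb shell dumpsys package <pkg>` or an
MDM inventory reports: requested (uses-permission) entries, the
android:permission attribute on declared services, and the installer package.
Constructed example; the scoring weights are illustrative, not a vendor rule.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Android identifiers. BIND_ACCESSIBILITY_SERVICE is declared on the
# <service> that implements an AccessibilityService, so it appears as a
# service permission rather than as a requested (uses-permission) entry.
ACCESSIBILITY_SERVICE_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_PERM = "android.permission.CALL_PHONE"  # required to dial USSD codes
MEDIA_PROJECTION_FGS = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class AppInfo:
    package: str
    requested: Set[str] = field(default_factory=set)      # uses-permission
    service_perms: Set[str] = field(default_factory=set)  # per-service permissions
    installer: Optional[str] = None                       # None means sideloaded


def score_app(app: AppInfo) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score = 0
    reasons: List[str] = []
    has_a11y = ACCESSIBILITY_SERVICE_PERM in app.service_perms
    has_overlay = OVERLAY_PERM in app.requested
    if has_a11y:
        score += 2
        reasons.append("declares an accessibility service")
    if has_overlay:
        score += 2
        reasons.append("can draw windows over other apps")
    if has_a11y and has_overlay:
        # The pairing behind overlay phishing plus keylogging via accessibility events.
        score += 3
        reasons.append("accessibility + overlay: overlay-trojan combination")
    if app.requested & SMS_PERMS:
        score += 2
        reasons.append("reads or receives SMS")
    if CALL_PERM in app.requested:
        score += 1
        reasons.append("can place calls / USSD requests")
    if MEDIA_PROJECTION_FGS in app.requested:
        score += 2
        reasons.append("screen-capture foreground service (VNC-style remote view)")
    if app.installer != PLAY_STORE_INSTALLER:
        score += 2
        reasons.append(f"not installed by Play Store (installer={app.installer})")
    return score, reasons


def triage(apps: List[AppInfo], threshold: int = 7) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, reasons) for apps at or above threshold, riskiest first."""
    flagged = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed sample inventory (package names are placeholders, not real IoCs).
FAKE_UPDATE = AppInfo(
    package="com.example.playupdate",
    requested={OVERLAY_PERM, "android.permission.READ_SMS", CALL_PERM, MEDIA_PROJECTION_FGS},
    service_perms={ACCESSIBILITY_SERVICE_PERM},
    installer=None,  # sideloaded, as a fake "Google Play update" would be
)
SCREEN_READER = AppInfo(  # legitimate accessibility tool from the store
    package="com.example.screenreader",
    service_perms={ACCESSIBILITY_SERVICE_PERM},
    installer=PLAY_STORE_INSTALLER,
)
BANK_APP = AppInfo(
    package="com.example.bank",
    requested={"android.permission.INTERNET"},
    installer=PLAY_STORE_INSTALLER,
)
SAMPLE_APPS = [FAKE_UPDATE, SCREEN_READER, BANK_APP]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_APPS):
        print(f"{package}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

The combination bonus is the important design choice: a screen reader legitimately declares an accessibility service and an assistant may legitimately draw overlays, but the two together, on a sideloaded app that also wants SMS, is the profile the article describes and is worth a manual look rather than an automatic block.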
Evolving Threat and Countermeasures
The emergence of Android banking Trojans poses a significant threat because they can bypass traditional security measures, exploit user trust, and gain extensive access to personal and financial information. These Trojans are growing more sophisticated through advanced obfuscation techniques, real-time C2 communication, and multilayered attack strategies.
Parate emphasizes the need for improved security measures and user awareness to combat increasingly sophisticated mobile malware. The evolution of threats like Antidot underscores the importance of implementing robust cybersecurity measures, such as strong authentication mechanisms, regular software updates, and user education on identifying and avoiding potential threats.